Controllerless Networks


Instant Mode - the controllerless Wi-Fi solution that's easy to set up, is loaded with security and smarts, and won't break your budget

Rogue detection false positives on wired and wireless rule

  • 1.  Rogue detection false positives on wired and wireless rule

    Posted Jan 10, 2017 02:19 PM

    We are seeing what appear to be neighbors listed as being detected both wired and wirelessly using a match rule called "Minus-One-Match", which appears to detect consecutive MAC addresses.  One such example lists 38:ED:18:BA:B8:31 as the wired MAC and 38:ED:18:BA:B8:30 as the wireless.  However, further review shows that the MAC address ending in 31 has the SSID xxxx-pwhse and the MAC address ending in 30 has the SSID xxxx-user.

    Thus both MACs are wireless MACs, likely the same device, but no MAC is identified showing wired connectivity.  Likewise, a review of the site's switches does not reflect any MAC beginning with 38:ED:18 attached to the network.  This was on a detection most recently made within the past few minutes.

     

    Signal strength is high enough to identify as a suspect rogue but LAN connection identification appears to be a false positive.  The SSID matches are not replicating ours so this is not an instance of SSID spoofing.

     

    Thus I see this as a false positive and probable neighbor given the multi-tenant nature of the site.

     

    Question: am I interpreting the function of the Minus-one-Match method correctly and, if so, how does one disable this method, as it is obviously causing false positives?



  • 2.  RE: Rogue detection false positives on wired and wireless rule

    EMPLOYEE
    Posted Jan 10, 2017 02:28 PM

    Are those wireless mac addresses your access points, or no?



  • 3.  RE: Rogue detection false positives on wired and wireless rule

    Posted Jan 10, 2017 02:33 PM

    No, they are not our APs and they are not physically attached to our network; they appear to be neighbors being automatically classified as rogues. Best I can tell, the Minus-one-match method is assuming that two consecutive MACs must represent wired and wireless interfaces but does not take into account two consecutive wireless MACs, e.g. 2.4 and 5 GHz radios on one AP having separate MAC addresses.

     



  • 4.  RE: Rogue detection false positives on wired and wireless rule

    EMPLOYEE
    Posted Jan 10, 2017 02:35 PM

    One of those macs would need to be wired for it to classify using the +1 rule.



  • 5.  RE: Rogue detection false positives on wired and wireless rule

    Posted Jan 10, 2017 02:37 PM
    Doesn’t seem so, else why would both macs have unique SSIDs associated with them?

    Alan Mercer
    Technical Systems Architect
    Catholic Charities Information Technology


  • 6.  RE: Rogue detection false positives on wired and wireless rule

    EMPLOYEE
    Posted Jan 10, 2017 02:43 PM

    My remark is that is how it is supposed to work.  Have you seen the article here?  http://community.arubanetworks.com/t5/Controller-less-WLANs/How-to-troubleshoot-rogue-on-IAP/ta-p/213315

     



  • 7.  RE: Rogue detection false positives on wired and wireless rule

    Posted Jan 18, 2017 08:16 AM

    That article does not explain the plus one rule nor why two consecutive macs both associated with wireless SSIDs would be detected as wired.  Everything about this still says false positive, and one that would likely occur quite frequently.  It appears to be a flawed signature used for rogue detection and would not be the first bug in Airwave and the instant OS I have reported in our short time using the product.

     

    I'm at the point that I will have to open a support ticket on this given the answer is not here.

     



  • 8.  RE: Rogue detection false positives on wired and wireless rule

    EMPLOYEE
    Posted Jan 18, 2017 09:06 AM

    That is the best approach.
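
Added example, not part of any post in this thread and not Aruba code: a small triage script that repeats the original poster's manual check (is the alert's "wired" MAC actually in the switch tables, or is it just another beaconing BSSID?) for an adjacent-MAC rogue alert. The two MACs and SSIDs are the ones quoted in the thread; the switch table entries, field names and verdict strings are constructed assumptions.

```python
# Added triage sketch; field names and verdict labels are hypothetical.

def mac_to_int(mac: str) -> int:
    """Parse aa:bb:cc:dd:ee:ff (or '-' separated) into a 48-bit integer."""
    digits = mac.replace(":", "").replace("-", "")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    return int(digits, 16)

def triage(alert, switch_fdb, observed_bssids):
    """Re-check one adjacent-MAC rogue alert against independent evidence.

    alert:           {'wired_mac': ..., 'bssid': ...} as reported by the alert
    switch_fdb:      MACs learned on the site's switch ports
    observed_bssids: BSSID -> SSID for every radio heard over the air
    """
    wired, bssid = mac_to_int(alert["wired_mac"]), mac_to_int(alert["bssid"])
    fdb = {mac_to_int(m) for m in switch_fdb}
    air = {mac_to_int(b): ssid for b, ssid in observed_bssids.items()}
    result = {
        "offset": wired - bssid,
        "adjacent": abs(wired - bssid) == 1,
        "same_oui": wired >> 24 == bssid >> 24,
        "wired_mac_on_switch": wired in fdb,
        "wired_mac_is_bssid": wired in air,
        "ssids": sorted({air[m] for m in (wired, bssid) if m in air}),
    }
    if not result["adjacent"]:
        result["verdict"] = "not-an-adjacent-match"
    elif result["wired_mac_on_switch"]:
        result["verdict"] = "wired-presence-confirmed"
    elif result["wired_mac_is_bssid"]:
        result["verdict"] = "likely-false-positive: both MACs are radios"
    else:
        result["verdict"] = "unconfirmed: no switch evidence"
    return result

# MACs and SSIDs as quoted in the thread.
ALERT = {"wired_mac": "38:ED:18:BA:B8:31", "bssid": "38:ED:18:BA:B8:30"}
OBSERVED = {"38:ED:18:BA:B8:31": "xxxx-pwhse", "38:ED:18:BA:B8:30": "xxxx-user"}
# Constructed switch forwarding-table sample (locally administered addresses).
SWITCH_FDB = ["02:00:00:00:00:01", "02:00:00:00:00:02"]

if __name__ == "__main__":
    for key, value in triage(ALERT, SWITCH_FDB, OBSERVED).items():
        print(f"{key}: {value}")
```

In practice the switch table and BSSID list would come from exports of the switches and the AP monitoring view taken close to the alert time, since forwarding entries age out.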


